How to Improve the Security of Your Linux System with Firejail

Linux is always perceived as a more secure OS than its counterparts. However, that doesn’t mean it’s completely immune to viruses, worms, and other evil stuff. Like any other operating system, it has its own set of limitations, and a lot is dependent on how the individual uses it.

Of course, nothing can guarantee absolute protection, but there are ways to make life very hard for viruses, worms, and hackers in general. If you are looking for such a solution, look no further: in this tutorial we’ll be discussing a piece of software called Firejail that can improve the security of your Linux system.

Improve your system’s security

In order to boost your Linux box’s security, you need to install and use Firejail. It’s basically an SUID program that restricts the running environment of untrusted applications, reducing the risk of security breaches. Behind the scenes, Firejail gives a process and its children their own private view of the globally shared kernel resources, including the network stack, process table, and mount table.

The application is written in C and doesn’t have any dependencies. Of course, it has some requirements. For example, it’s only compatible with Linux machines running a 3.x kernel version or newer. As for what kind of processes the tool can sandbox, the answer is “any.” Yes, you can use it with servers and graphical applications, as well as games and user login sessions.

Installation

The download page offers .tar, .deb and .rpm packages for both 32- and 64-bit architectures. Since I am using Ubuntu, I downloaded the .deb package and installed it using the GDebi package installer.

Usage

Now, to sandbox a process, all you have to do is to pass the corresponding application’s name as an argument to the firejail command. For example, to sandbox the Firefox web browser using Firejail, run the following command:

firejail firefox

While the output logs on the command line should be enough to give you the idea that Firefox is now running in a sandboxed form, to see how Firejail restricts the web browser’s access, try opening a file (File -> Open) from the Firefox window. You’ll see that the list of locations available to the app has been curtailed.

For comparison, here’s the list when Firefox is run without Firejail.

It’s worth mentioning that Firejail mounts a temporary “tmpfs” filesystem on top of the “/home/user” directory. Any files created in this directory will be deleted once the sandbox exits.

The tool includes security profiles for a large number of Linux programs. To give you a better idea of what exactly security profiles are, think of them as configuration files that contain rules defining, for example, which file accesses are allowed and which are not. For more information on Firejail sandboxing as well as how to create and customize security profiles, head to the tool’s documentation.
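To make the idea of a profile concrete, here is a small one written for this article as an added example; it is not one of the profiles shipped with Firejail. The application name docviewer and the paths it restricts are assumptions chosen for illustration.

```conf
# docviewer.profile -- constructed example for a hypothetical offline
# document viewer called "docviewer" (name is an assumption).

# File access rules: hide credential stores from the sandboxed process.
blacklist ${HOME}/.ssh
blacklist ${HOME}/.gnupg

# Shell startup files stay readable but cannot be modified from inside
# the sandbox, so a compromised viewer cannot plant a persistent hook.
read-only ${HOME}/.bashrc
read-only ${HOME}/.profile

# Give the sandbox its own empty /tmp and a minimal /dev.
private-tmp
private-dev

# An offline viewer needs no network: new network namespace with
# only a loopback interface.
net none

# Privilege reductions: drop all capabilities, forbid gaining new
# privileges through exec, run without a root user in the sandbox,
# and enable the default seccomp system call filter.
caps.drop all
nonewprivs
noroot
seccomp
```

Saved as ~/.config/firejail/docviewer.profile, the file is picked up automatically when the program is started with firejail docviewer; a profile stored elsewhere can be passed explicitly with --profile=.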

Those who aren’t much into the command line will be glad to know that there is a GUI for the Firejail security sandbox, and it’s known as Firetools. Built using Qt4/Qt5 libraries, this tool comes as a separate package. It provides a sandbox launcher integrated with the system tray, sandbox editing, management, and statistics.

To install Firetools, head to this page, download the package compatible with your system, and install accordingly. Once you are done with the installation part, run the utility using the following command:

firetools

Conclusion

It doesn’t matter which OS you are using: you should never let security slip from your mind. And if your system contains sensitive information in the form of, say, documents, files, or pictures, system security should be at the top of your priority list. For Linux, the solution we’ve discussed in this article is easy to set up and use. Plus, a lot of documentation is available on it in case you need help. Do give it a try.

One comment

This article is incredibly ignorant of Linux security and Permissions! First, SUID is not a Linux term. The term is SetUID. And it’s an old UNIX term for a program or script which allows certain applications to operate with ELEVATED privileges. SetUID has nothing whatsoever to do with sandboxing.

Second, there is already a program in the Ubuntu Repositories called AppArmor, which does a much better and more granular job of restricting program or application permissions than SetUID can possibly do. And Ubuntu has a built-in firewall which is turned off by default. Activating AppArmor and downloading its Settings, then activating the Ubuntu Firewall, will offer better security than any SetUID program can possibly accomplish, and with little or no user configuration (thanks to the predefined Settings for AppArmor, which are updated regularly).

Why we need to place our faith in third-party upstarts like this one is beyond my comprehension. Inventing a program like this one is like reinventing the wheel. I would also like to see reviews about how many Linux programs crash or won’t launch at all when sandboxed by this type of program. Betcha the list is long.